How Does HIPAA Affect Mental Health Care Professionals?

The Health Insurance Portability and Accountability Act (HIPAA) is an important aspect of the standard of care when it comes to security and privacy regarding electronic records. The two main questions that many mental health care professionals pose in relation to HIPAA are:

If I am a solo practitioner, do I need to comply with HIPAA?

Do I need to become HIPAA compliant even though I do not submit electronic bills to insurance companies?

Many therapists and mental health organizations believe they are exempt from the HIPAA regulations if they do not electronically submit bills to insurance. While electronic billing to insurance is the primary trigger for the need to be HIPAA-compliant, there are several other electronic transactions that do so as well. These include, but are not limited to, health care claims, coordination of benefits, and referral certification and authorization.

HIPAA’s three main rules are the Privacy Rule, Transaction Rule, and Security Rule. This post will focus on the Privacy Rule, which dictates when and to whom confidential patient information can be disclosed, and the Security Rule, which seeks to assure the security of confidential electronic patient information. According to the American Psychological Association, the Privacy Rule and Security Rule both apply to all health care providers, including psychologists and solo practitioners.

What Does HIPAA Require?

HIPAA regulations adopt standards for securing the storage of health care information, transmitting electronic claims, and protecting the privacy of individuals' medical records. HIPAA’s main purpose is to make sure that Protected Health Information (PHI) is properly handled. PHI is individually identifiable health information that is transmitted or maintained by a covered entity (such as a health care provider) and its business associates.

Under HIPAA, certain restrictions apply if and when PHI is transmitted electronically. HIPAA Security Rule requires that those subject to HIPAA maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI.

Administrative safeguards address the implementation of office policies and procedures, staff training, and other measures designed to carry out security requirements. Physical safeguards require providers to implement policies and procedures that limit physical access to electronic and physical information systems (e.g., computers, files, etc.) and the facilities (e.g., a business office) in which the records are housed. Examples might be as simple as a lock on the door of the room in which the computers are located or as complex as a retinal scan. Technical standards require a provider to create policies and procedures that govern the technical aspects of accessing PHI within computer systems by appropriate persons, such as implementing access controls, regularly updating and running anti-virus and firewall software, using and regularly changing individual passwords, using secure transmission systems or encryption when e-mailing or transmitting patient data.

Given these requirements, best practices are:

develop an understanding of the HIPAA regulations;

designate a Privacy Officer and/or committee if relevant;

create, adopt, and implement privacy procedures;

train employees so they understand the privacy procedures;

secure patient records that contain protected health information so that they are not readily available to those who don't need them but are to those that do;

ensure the privacy of records in the offices by installing locks and monitoring access to the records;

take very basic computer precautions by installing passwords and firewalls when appropriate;

consult with an IT professional to make sure that equipment hardware and software are properly secured and that only secure and appropriate cloud storage solutions are used; and

prioritize the confidentiality of patient information and the security of PHI.